Method of booting an operating system

ABSTRACT

For use in a system where a plurality of servers are connected to an external disk device, a method is provided for a server to boot an operating system from the external disk device. The method includes the steps of searching for the port of a network switch to which the server is connected; establishing a network to which only the server and a management server belong; sending a server information acquisition program from the management server to the server via a network boot operation; acquiring, by the server information acquisition program, unique information owned by the storage interface of the server for transfer to the management server; and setting, by the management server, a disk within the external disk device accessible from the server based on the unique information.

CROSS-REFERENCED TO RELATED APPLICATION

The present application is a continuation of application Ser. No.11/007,339, filed Dec. 9, 2004, which claims priority from Japaneseapplication JP2004-251215 filed on Aug. 31, 2004, the content of whichis hereby incorporated by reference into this application.

BACKGROUND OF THE INVENTION

The present invention relates to a disk management method used in aserver that boots an operating system from an external disk.

In general, in a server system having disk devices, the operating systemof the server is installed on the boot disk, one of the disk devicesand, when the server is started, the boot disk is detected to boot theoperating system.

One of the prior art technologies is that the system is booted from afixed disk built in the server. According to this prior art, a diskdevice on which the operating system is to be installed is provided inthe server in advance, and the operating system is installed on thatdisk for booting the server. In this case, only one boot disk isprepared for the server and, in addition, the boot disk is not sharedwith other servers.

Therefore, this prior art technology reduces the chance of other serversreferencing or updating the boot disk, thus ensuring high security.Another boot method is that an external disk array device is used forbooting. A disk array device, with a large storage capacity, can beconnected to a plurality of servers via a fiber channel or a fiberchannel switch. Booting an operating system from an external disk suchas a disk array device has a security problem. A disk array device isbasically like a network; that is, all servers connected to a disk arraydevice can reference or update the disks in the disk array device.Therefore, there is a possibility that some other server alters the bootdisk or references its contents.

To solve this problem, a disk array device uses a unique deviceidentifier WWN (World Wide Name), an identifier owned by a fiber channeldevice, to implement a function that associates the WWN of a particularserver with a disk in the disk array device. For example, a disk arraydevice has an access range limiting function that allows server 1 withthe name of WWN1 to access only disk 1 included in the disk arraydevice. This function can maintain the security of the disks amongservers. However, because a WWN is an identifier recorded in the fiberchannel adapter in a server, the operating system must be started and aprogram (agent) for acquiring the WWN must be started to acquire theWWN. Therefore, because the WWN is not yet determined when the operatingsystem is installed, the security function of the disk array devicecannot be used until the operating system is installed and then theagent is started to acquire the WWN. This means that there is a periodduring which the security is low.

One alternative method is to investigate the WWN of a server beforeinstalling an operating system and to set up the security function ofthe disk array device. However, this method sometimes generates an errorbecause a manual operation is involved and, in addition, requires timefor setting up the function for many servers. On the other hand, atechnology for acquiring a WWN without using an agent is disclosed inU.S. Patent Application Publication No. 2004/0059816A1 and thecorresponding Japanese patent application JP-A-2004-118250. This methodacquires the WWN of an accessed device of a disk array device to obtaininformation on the connection relation of the fiber channel. A problemwith this method is that the relation between a server and a WWN isunknown and therefore the method cannot be used when an operating systemis installed into a server.

SUMMARY OF THE INVENTION

It is an object of the present invention to maintain high security andto reduce the efforts to manage the server operation even in a bootsystem, in which an external disk device is used, by using the securityfunction of the disk array in advance, when an operating system isinstalled on an external disk device such as a disk array device.

For use in a system where a plurality of servers are connected to anexternal disk device, the present invention provides a method for aserver to boot an operating system from the external disk device. Themethod includes the steps of searching for the port of a network switchto which the server is connected; establishing a network to which onlythe server and a management server belong; sending a server informationacquisition program from the management server to the server via anetwork boot operation; acquiring, by the server information acquisitionprogram, unique information owned by the storage interface of the serverfor transfer to the management server; and setting, by the managementserver, a disk within the external disk device accessible from theserver based on the unique information.

A method of booting an operating system according to the presentinvention has the advantage of setting up the security of an externaldisk device before installing the operating system and automaticallyacquiring information necessary for setting up the security.

Other objects, features and advantages of the invention will becomeapparent from the following description of the embodiments of theinvention taken in conjunction with the accompanying drawings.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a diagram showing the general configuration of a firstembodiment of a computer system in which a boot disk management methodaccording to the present invention is executed.

FIG. 2 is a diagram showing the configuration of a server in the firstembodiment.

FIG. 3 is a diagram showing the configuration of a management server inthe first embodiment.

FIG. 4 is a diagram showing a server management table in the firstembodiment.

FIG. 5 is a diagram showing the configuration of a security module inthe first embodiment.

FIG. 6 is a diagram showing an example of the security module setup inthe first embodiment.

FIG. 7 is a diagram showing the sequence of the operation in the firstembodiment of the present invention.

FIG. 8 is a flowchart showing the processing of a server managementmodule in the first embodiment.

FIG. 9 is a flowchart showing the processing of a boot disk managementmodule in the first embodiment.

FIG. 10 is a flowchart showing the processing of a virtual networksetting module in the first embodiment.

FIG. 11 is a diagram showing an example of a virtual network setup inthe first embodiment.

FIG. 12 is a flowchart showing the processing of a network boot modulein the first embodiment.

FIG. 13 is a flowchart showing the processing of a network bootmanagement module in the first embodiment.

FIG. 14 is a flowchart showing the processing of a server informationacquisition agent in the first embodiment.

FIG. 15 is a flowchart showing the processing of a security settingmodule in the first embodiment.

FIG. 16 is a diagram showing the configuration of a management server ina second embodiment of a computer system in which a boot disk methodaccording to the present invention is executed.

FIG. 17 is a diagram showing a server management table in the secondembodiment.

FIG. 18 is a flowchart showing the processing of a server informationacquisition/setting agent in the second embodiment.

FIG. 19 is a flowchart showing the processing of a security settingmodule in the second embodiment.

FIG. 20 is a diagram showing the sequence of the operation in the secondembodiment.

FIG. 21 is a diagram showing the general configuration of a thirdembodiment of a computer system in which a boot disk method according tothe present invention is executed.

FIG. 22 is a diagram showing the configuration of a management server inthe third embodiment.

FIG. 23 is a diagram showing a storage management table in the thirdembodiment.

FIG. 24 is a flowchart showing the processing of a security settingmodule in the third embodiment.

FIG. 25 is a diagram showing the sequence of the operation in the thirdembodiment of the present invention.

FIG. 26 is a diagram showing the general configuration of a fourthembodiment of a computer system in which a boot disk method according tois the present invention is executed.

FIG. 27 is a diagram showing the configuration of a management server inthe fourth embodiment.

FIG. 28 is a flowchart showing the processing of a boot disk managementmodule in the fourth embodiment.

FIG. 29 is a flowchart showing the processing of a dynamic diskallocation module in the fourth embodiment.

FIG. 30 is a diagram showing the sequence of the operation in the fourthembodiment.

DESCRIPTION OF THE EMBODIMENTS First Embodiment

FIG. 1 is a general diagram of a computer system in which a method ofbooting an operating system according to the present invention is used.Each of a plurality of servers 107-1, 107-2, 107-3, - - - is connectedto a network switch (NW SW) 108 via a network interface card (NIC) 112,and to a fiber channel switch 106 via a fiber channel adapter (FCA) 111.One of the servers 107-1, 107-2, 107-3, - - - is represented by numeral107 hereinafter. Although three servers 107 are shown in FIG. 3, thenumber of servers is not limited to three but may be three or more. Thefiber channel switch 106 is connected also to a disk array device 109 toallow the server 107 to access it. The network switch 108 is connectedalso to a management server 101 that manages the system. Each of theservers 107 contains a BMC (Baseboard Management Controller) 113 formonitoring the status of the hardware of the server 107, for controllingthe power supply, and for resetting the server 107 via a network. Ingeneral, a power separate from that of the server 107 is supplied to theBMC 113 to allow the BMC 113 to be remotely controlled via a networkeven when the server 107 stops. The management server 101 monitors thestatus of, and controls, the server 107, the network switch 108, thefiber channel switch 106, and the disk array device 109 as necessary viaa network.

The management server 101 comprises a server management module 102 and aboot disk management module 103. The server management module 102manages servers as well as the devices connected to the servers. Theboot disk management module 103, a module for managing disks necessaryfor booting servers, is one of the modules that characterize the presentinvention. The boot disk management module 103 comprises a securitysetting module 104 and a server information acquisition module 105. Thesecurity setting module 104 is a module for controlling a disk arraymanagement module 115 included in the disk array device 109; morespecifically, the disk array management module 115 controls the securitymodule 116 to establish the relation between a server and one or moredisks 110-1, 110-2, 110-3, 110-4, - - - in the disk array 109. One ofthe disks is represented by numeral 110 hereinafter. The serverinformation acquisition module 105, which is a module for acquiringinformation regarding the servers, has a function to control a networkswitch management module 114 and so on in the network switch 108 foracquiring information on the servers 107.

In this embodiment, when the operating system of the server 107 isstored in the disk array device 109, the server 107 associates theserver 107 with a disk 110 in the disk array device 109 beforeinstalling the operating system.

FIG. 2 is a diagram showing the detailed configuration of the server 107in this embodiment. The server 107 comprises a memory 201 in whichprograms and data are stored, a processor 202 that executes programs inthe memory, the fiber channel adapter 111, the network interface card112, and the BMC 113. The fiber channel adapter 111 uses a communicationmodule 203 to carry out fiber channel communication that requires aunique device identifier called a WWN (World Wide Name). The WWNidentifies the other end of the fiber cannel communication. The fiberchannel adapter 111 contains a WWN storage memory 204 in which the WWNis stored, and the communication module 203 carries out communicationwhile referencing the WWN storage memory 204.

The network interface card 112 comprises a communication module 205 thatcarries out network communication and a network boot module 206. Thenetwork boot module 206, which is started when the server 107 is booted,has a function to acquire programs via the network for booting theserver 107. The BMC 113 mainly monitors and controls the hardware of theserver 107. The BMC 113 transfers hardware information on the server,and accepts and transfers control commands, via a communication module207. It is possible to use a general network communication device as thecommunication module 207. When an error occurs in the hardware of theserver 107, a server monitor module 208 detects the error and notifiesthe error via the communication module 207. The power (not shown) of theserver 107 can be turned on/off, and the hardware can be reset, remotelyvia the communication module 207. To implement this function, a power(not shown) separate from the power of the server 107 is usuallysupplied to the BMC. Therefore, even if the power of the server is off,the BMC 113 can be remotely controlled via the communication module 207.

FIG. 3 is a diagram showing the configuration of the management server101 shown in FIG. 1. The management server 101 comprises the servermanagement module 102 and the boot disk management module 103. Theserver management module 102 monitors the status of, and controls, theserver. For example, the server management module 102 monitors an eventindicating whether the currently running server is normally running oran event of a newly added server. In this case, the importantinformation is about what servers are being managed. To keep track ofthis information, the server management module 102 has a servermanagement table 301. The server management table 301 containsconfiguration information and setting information on the servers beingmonitored or controlled. The detail of the server management table 301will be described later. The boot disk management module 103 comprisesthe server information acquisition module 105 and the security settingmodule 104. The server information acquisition module 105 comprises avirtual network setting module 306 and a network boot management module302. The virtual network setting module has a function to build avirtual network (VLAN) in the network switch 108 shown in FIG. 1.

A virtual network is a function to logically divide the devices,physically connected to the same network switch, into a plurality ofnetworks. The virtual network setting module 306 in this embodimentbuilds a private network between a server being controlled and themanagement server. The network boot management module 302 performsprocessing corresponding to the network boot module 206 shown in FIG. 2.In response to a request from the network boot module 206, the networkboot management module 302 transfers network boot image data 303 andinformation necessary for the network boot operation. The network bootimage in this embodiment contains an operating system (OS) 305 and aserver information acquisition agent 304 running on the OS. The serverinformation acquisition agent 304 is set up in such a way that, when anOS 305 is booted, the server information acquisition agent 304 startsthe operation automatically. The security setting module 104 controlsthe security module 116 of the disk array device 109 to associate aserver with a disk.

FIG. 4 shows the details of the server management table 301 shown inFIG. 3. The server management table 301, a table managed by themanagement server 101, contains a list of servers managed by themanagement server 101 as well as the management information on theservers. A column 401 of the table contains the identifier of a server.The server identifier 401 may be any information by which a server canbe identified. The identifier is the serial number of the server or, ifthe server is a blade server, the blade number of the server. A column402 indicates a network connection port number. This number indicatesthe connection relation between the server 107 and the network switch108. This number may be set by the system manager if the server is anindependent server or may be set as fixed information if the connectionstatus is determined in advance as for a blade server.

In this embodiment, either method may be used for setting networkconnection port numbers. A column 403 indicates the processor type ofthe server. A column 404 indicates the size of memory installed in theserver. A column 405 indicates the location of the boot disk. “Built-indisk” is entered in this column to indicate that the OS is booted from adisk built in the server, while a disk number is entered to indicatethat the OS is booted from an external disk array device. When there aremultiple disk array devices, the device number may be entered. A column406 contains the identifier of a virtual network. When two or moreservers have the same virtual network identifier, they belong to thesame network; when two or more servers have different virtual networkidentifiers, the communication among them is logically disconnected.

FIG. 5 is a diagram showing the details of the security module 116 ofthe disk array device 109 in this embodiment. The security module has afunction to associate a server with a disk. In a case where a large disksuch as a disk array device is used, many servers are connected to thesame disk array device. In such a case, this module limits the disksthat can be referenced and updated by a server in order to protect thesecurity of data stored in the disks. More specifically, the securitymodule 116 comprises a disk mapping module 501 and a disk mapping table(502, 503, 504). When a server 107 accesses disks, the disk mappingmodule 501 limits the disks that can be accessed by the server 107according to the disk mapping table (502, 503, 504). A column 502contains the identifier of the server 107, that is, the WWN describedabove.

A column 503 contains virtual disk numbers, and a column 504 containsphysical disk numbers. For example, when access is made from the fiberchannel adapter 111 with the name of WWN1, the disk mapping functionallows access to the virtual disk numbers (LU0, LU1, LU3). The virtualdisk numbers (LU0, LU1, LU3) actually correspond to the physical disks(LU10, LU11, LU17). In this way, the security module allows a specificserver to access limited disks that are virtual. The module inhibitsaccess to the disks if access is made from a WWN not stored in the diskmapping table 502.

FIG. 6 is a block diagram showing the operation of the security module116 in FIG. 5. Server 1 (107-1) has a fiber channel adapter 111 to whichWWN1 stored in memory 204 is given. Server 2 (107-2) has a fiber channeladapter 111 to which WWN2 stored in memory 204 is given. Server 1(107-1) and server 2 (107-2) are connected to a fiber channel switch106, which is connected to a disk array device 109. A security module116 allows server 1 (107-1) to access virtual disks LU0 (612), LU1(613), and LU2 (614) corresponding to physical disks LU10 (110-1), LU11(110-2), and LU17 (110-3). On the other hand, the security module 116allows server 2 (107-2) to access virtual disks LU0 (615) and LU1 (616)corresponding to physical disks LU21 (110-4) and LU22 (110-5). Server 1(107-1) cannot access physical disks LU21 (110-4) and LU22 (110-5).Server 1 (107-1) and server 2 (107-2) correspond to the server 107 inFIG. 1. Blocks 610 and 611 in the security module 609 correspond to thedisk mapping table 502 to 504 in FIG. 5. The numeral 610 indicates thelogical disks allocated to the server with the identifier WWN1 in thedisk mapping table (FIG. 5). The numeral 611 indicates the logical disksallocated to the server with the identifier WWN2.

FIG. 7 shows the operation sequence of the first embodiment of thepresent invention. The figure shows the sequence of operations performedby a server 107, a boot disk management module 103, and a disk arraysecurity module 116. Step 704 indicates the issuance of an installationevent of a new server into a computer system. For example, in a bladeserver, an event is issued automatically when a new server blade isinstalled. For a single-unit server, it is also possible for the systemmanager to manually issue an event after the server is connected to thenetwork switch. This sequence is applicable also to an event generatedin a case in which a new server is not installed but an alreadyinstalled server, which is not yet set up, is put into use. The eventdescribed here is an event that is generated when a server, for which nodisk is yet determined for installing the OS, is newly used. This event,when generated, causes the server information acquisition module 105 ofthe boot disk management module 103 to start the operation (step 705).The server information acquisition module 105 analyzes the event and, ifit is determined that a new server is installed, calls the virtualnetwork setting module 306 (step 706). The virtual network settingmodule 306 builds a private network between the newly installed serverand the management server.

After that, a reset instruction is transferred to the server 107 (step707). When the server 107 is reset by the reset instruction, theabove-described network boot module of the server 107 starts theoperation (step 708). This causes image data to be transferred from theboot disk management module 103 (step 709). The server 107 uses thetransferred image data to start booting the OS (step 710). At the sametime the OS is booted, the server information acquisition agent isstarted automatically (step 711), which acquires various serverinformation and transfers the acquired information to the boot diskmanagement module 103 (step 712). This information includes the WWN ofthe fiber channel adapter of the server. After confirming that theserver information is transferred, the boot disk management module 103releases the virtual network built by the virtual network setting modulein step 706 to return the network status to the status before the bootdisk management module 103 was started (step 713). After that, thesecurity setting module 104 uses the WWN, included in the acquiredserver information, to request the security module 116 of the disk arraydevice to associate the server 107 with the disk 110 (step 714). Byexecuting the sequence of processing steps described above, the disk onwhich the OS is installed is automatically prepared for the newlyinstalled server. Then, the installation of the OS can be started (step716).

The following describes the sequence, shown in FIG. 7, more in detail.FIG. 8 is an operation flowchart of the server management module 102. Instep 801, a server event is detected. In step 802, the event is analyzedand whether or not a boot disk is to be allocated to the event isdetermined. If it is found that a boot disk is to be allocated, theserver management module searches for the network connection port of theevent-generating server in step 803. This is done by searching theserver management table shown in FIG. 4. In step 804, the boot diskmanagement module is called. In this case, the connection port number,acquired in step 803, is transferred as the parameter. If it is found instep 802 that a boot disk need not be allocated, the processing for theevent is performed in step 805 and the flow is ended.

FIG. 9 is a flowchart showing the processing of the boot disk managementmodule 103. In step 901, the virtual network setting module 306 iscalled. The virtual network setting module 306 has a function to build anew virtual network and a function to release a virtual network that isalready built. In step 901, a new virtual network is built. Byperforming the processing of step 901, a private virtual network isestablished between the event-generating server 107 and the managementserver 101 on a one-to-one basis. In step 902, a reset instruction issent to the event-generating server 107. The reset instruction is issuedto the BMC 113, and the BMC of the server that receives this instructionresets the server. Once reset, the server starts searching for a bootdisk. However, the OS disk is not yet determined in this embodiment, thenetwork boot module 206 is given priority to start the operation. At thesame time the network boot module 206 starts the operation, the networkboot management module 302 starts the operation. This operation will bedescribed later. The network boot management module 302 acquires the WWNof the event-generating server. In step 904, the private networkestablished in step 901 is canceled to return to the original status. Instep 905, the security setting module 104 is called with the WWN,acquired in step 903, as the parameter.

FIG. 10 is a flowchart showing the operation of the virtual networksetting module 306. In step 1001, whether the requested instruction isto build a virtual network or to release a virtual network isdetermined. When a virtual network is to be built, control is passed tostep 1002; when a virtual network is to be released, control is passedto step 1007. In step 1002, the current connection port number of theevent-generating server is saved. In step 1003, the virtual networksetting module searches for the connection port number of the managementserver. In step 1004, the current virtual network (VLAN) number of theevent-generating server is saved. This saved number is used to releasethe virtual network. The current VLAN number can be found by referringto the server management table in FIG. 4.

In step 1005, the current VLAN number of the management server is saved.In step 1006, a VLAN independent of other VLANs is built for theevent-generating server and the management server. The information usedin this case is the connection port numbers of the server and themanagement server. The virtual network setting module 306 instructs themanagement module 114 of the network switch 108 to connect the device,connected to the specified port number, to the specified VLAN. Anindependent VLAN number is found, for example, by searching the virtualnetwork column 406 of the server management table in FIG. 4 for a VLANnumber that is not set. Alternatively, it is also possible to determinea predetermined VLAN number in advance and inhibits the VLAN number frombeing used by others.

When a virtual network is to be canceled, the connection number of theevent-generating server is acquired in step 1007. In step 1008, theconnection port number of the management server is acquired. In step1009, the VLAN number saved in step 1004 is acquired. In step 1010, theVLAN number saved in step 1005 is acquired. Based on the informationacquired in the above steps, the VLAN numbers of the event-generatingserver and the management server are reset to the original status instep 1011. Building a virtual network prevents an incorrect operationthat might be caused when a server other than the management server 101reacts to the network boot module 206 and, in addition, eliminates aninfluence on the networks of other servers.

FIG. 11 shows an example of a virtual network built by the virtualnetwork setting module 306 according to the flowchart in FIG. 10.Servers 107-1, 107-2, and 107-3 are each connected to a network switch108. In this case, when a server 107-4 is newly installed, anindependent virtual network 1106 is automatically configured for amanagement server 101 and the installed server 107-4. Although a VLAN isused to build a virtual network in this embodiment, a network other thana VLAN can be used to reduce an effect on the networks of other servers.For example, it is possible to directly control the control hardware ofthe network switch 108 to build a virtual network on a hardware level.This enables a completely independent network to be built between theserver 107-4 and the management server, thus preventing a request,issued from the server 107-4 and transferred via the network, fromaffecting other servers during the processing.

FIG. 12 is a flowchart showing the processing of the network boot module206. In step 1201, the network boot module 206 issues a broadcast packetto the connected network. This packet is issued to acquire an IPaddress. Immediately after the power of the server 107 is turned on, theserver does not have an IP address (network address) and thereforecannot communicate with other devices via the network using an IPaddress. In this embodiment, a broadcast packet, if issued, is deliveredonly to the management server 101 because a virtual network is built.This makes it possible to manage a newly installed server withoutaffecting other servers. The server managing the IP addresses returns anIP address in response to the broadcast packet. In step 1202, thenetwork boot module 206 receives an IP address and sets the IP addressin the network interface card. In step 1203, the information identifyingthe server having the data necessary for booting is received. In step1204, the image data is received from the server whose information isreceived in step 1203. In step 1205, the system is booted based on theacquired image data. By executing the sequence of processing stepsdescribed above, the system can be booted via the network. The imagedata refers to a file in which the programs and data necessary forbooting the operating system is stored. The server that receives theimage data expands its contents into the memory to set up theenvironment for executing the operating system.

FIG. 13 shows the processing flow of the network boot management module302 of the management server side that corresponds to the processingflow of the network boot module 206 in FIG. 12. In step 1301, thenetwork boot management module 302 allocates an IP address in responseto a broadcast packet. In step 1302, the information on the serverhaving the image data is sent; in this embodiment, the management server101 is a server that has the image data. In step 1303, the network bootimage is sent. By performing the above processing, the system can bebooted via the network.

FIG. 14 shows the processing flowchart of the server informationacquisition agent 304. This processing is started automatically when thesystem is booted via the network in FIG. 12 and FIG. 13. In step 1401,the processor type information is acquired. In step 1402, the memorysize information is acquired. In step 1403, the WWN of the fiber channeladapter is acquired. In step 1404, the acquired information istransferred to the management server 101. The sequence of the processingsteps is prepared so that, after the OS 305 is booted via the networkboot operation, the server information acquisition agent 304 is startedautomatically to perform its processing.

FIG. 15 shows the processing flow of the security setting module 104. Instep 1501, the WWN of the event-generating server is acquired. This isdone by receiving the WWN acquired in step 1403 in FIG. 14. In step1502, a boot disk to be newly allocated to the event-generating serveris created. In this step, it is possible to request the creation of anew disk in the disk array or, alternatively, to reserve a plurality ofboot disks in advance and acquire a boot disk from the reserved bootdisks. In step 1503, a request is issued to associate theevent-generating server with the boot disk allocated in step 1502 withthe WWN acquired in step 1501 as the parameter. The security module 116processes this request. By performing the above processing, a new diskis associated with the server and the disk is prepared for installingthe OS thereon. Although the present invention is used for allocating aboot disk in this embodiment, the same procedure can be used not onlyfor allocating a boot disk but also for allocating a data disk.

Second Embodiment

FIG. 16 is a diagram showing the configuration of a management server101 in a second embodiment used in a computer system in which the methodof booting an operating system according to the present invention isused. In the second embodiment, a WWN storage memory 204 stored in afiber channel adapter 111 can be rewritten. The second embodimentdiffers from the first embodiment in a server management table 1601, aboot disk management module 1602, and a security setting module 1606.The boot disk management module 1602 differs greatly from that of thefirst embodiment in the structure of network boot image data. Unlike theserver information acquisition agent 304 in the first embodiment, aserver information acquisition/setting agent 1605, which is an agentprogram running on an OS 305, has a function to write information.

FIG. 17 shows the server management table 1601. This table correspondsto the server management table 301 in the first embodiment to which acolumn 1701 is added. The column 1701 contains the WWN to be allocatedto each server. This column contains WWN data to be written into the WWNstorage memory of the fiber channel adapter 111 when a new server isadded.

FIG. 18 shows the processing flowchart of the server informationacquisition/setting agent 1605. This processing is started automaticallywhen the network boot operation is performed as shown in FIG. 12 andFIG. 13. In step 1801, the processor type is acquired. In step 1802, thememory size is acquired. In step 1803, a WWN is set in the fiber channeladapter. The WWN data that is set in this step is the WWN correspondingto the server registered in the server management table 1601. In step1804, the acquired information is transferred to the management server101. The sequence of processing steps are prepared in such a way that,when an OS 305 is booted via a network, the server informationacquisition/setting agent 1605 is started automatically to execute theprocessing.

FIG. 19 is the processing flowchart of the security setting module 1606.In step 1901, the identifier of the event-generating server is acquired.In step 1902, the WWN information corresponding to the server whoseidentifier is acquired in step 1901 is acquired. In step 1903, a bootdisk is allocated. In this step, it is possible to request the creationof a new disk in the disk array or, alternatively, to reserve aplurality of boot disks in advance and acquire a boot disk, which is tobe allocated, from the reserved boot disks as necessary. In step 1904, arequest is issued to associate the event-generating server with the bootdisk allocated in step 1903 with the WWN acquired in step 1902 as theparameter. The security module 116 processes this request. By performingthe above processing for a fiber channel adapter whose WWN can bechanged, a new disk is associated with the server and the disk isprepared for installing the OS thereon.

FIG. 20 shows the booting sequence of the second embodiment. The figureshows the sequence of operations performed by a server 107, a boot diskmanagement module 1602, and a disk array security module 116. Step 2004indicates the installation event of a new server. For example, in ablade server, an event is issued automatically when a new server isinstalled. For a single-unit server, it is also possible for the systemmanager to manually issue an event after the server is connected to thenetwork switch. This sequence is applicable also to an event generatedin a case in which a new server is not installed but an alreadyinstalled server, which is not yet set up, is put into use. The eventdescribed here is an event that is generated when a server, for which nodisk is yet determined for installing the OS, is newly used. This event,when generated, causes the server information acquisition module 1603 ofthe boot disk management module 1602 to start the operation (step 2005).The server information acquisition module 1603 analyzes the event,determines that a new server is installed, and calls the virtual networksetting module 306 (step 2006). The virtual network setting module 306builds a private network between the newly installed server and themanagement server. After that, a reset instruction is transferred to theserver (step 2007). When the server is reset by the reset instruction,the above-described network boot module 206 of the server starts theoperation (step 2008). This causes image data to be transferred from theboot disk management module 1602 (step 2009).

The server 107 uses the transferred image data to start booting the OS(step 2010). At the same time the OS is booted, the server informationacquisition/setting agent is started automatically (step 2011), whichacquires various server information and sets the WWN (step 2012) and,after that, transfers the acquired information to the boot diskmanagement module 1602. After confirming that the server information istransferred, the boot disk management module 1602 releases the virtualnetwork built by the virtual network setting module 306 (step 2013) toreturn the network status to the status before the boot disk managementmodule 1602 was started. After that, the security setting module 1606uses the WWN, which is set in the sever, to request the security module116 of the disk array device 109 to associate the server with the disk(step 2014). By executing the sequence of processing steps describedabove, the disk on which the OS is installed is automatically preparedfor the newly installed server.

Third Embodiment

A third embodiment is characterized in that the fiber channel switchperforms the security control operation. First, the following describesthe configuration with reference to FIG. 21. A fiber channel switch 106has a function to put connection limitations, called zoning, for eachconnected port and WWN. For example, this function associates a deviceconnected to port 1 of the fiber channel switch 106 with a deviceconnected to port 10 to make those devices invisible to other devices.This function can be used for the disk allocation according to thepresent invention.

A plurality of servers 107-1, 107-2, 107-3, - - - are connected to anetwork switch (NW SW) 108 via a network interface card (NIC) 112, andto a fiber channel switch 106 via a fiber channel adapter (FCA) 111. Oneof the servers is represented by numeral 107 hereinafter. The fiberchannel switch 106 is connected also to disk devices 2107-1, 2107-2,2107-3, 2107-4, - - - to allow the server 107 to access it. One of thedisk devices is represented by numeral 2107 hereinafter. The networkswitch 108 is connected also to a management server 2101 that managesthe system. The fiber channel switch 106 contains a fiber channel switchmanagement function 2106 to allow the fiber channel switch 106 to beremotely controlled via a network. The server 107 contains a BMC(Baseboard Management Controller) 113 for monitoring the status of thehardware of the server 107, for controlling the power supply, and forresetting the server 107 via a network.

In general, a power separate from that of the server 107 is supplied tothe BMC 113 to allow the BMC 113 to be remotely controlled via a networkeven when the server 107 stops. The management server 2101 monitors thestatus of, and controls, the server 107, the network switch 108, thefiber channel switch 106, and the disk devices 2107, as necessary via anetwork. The management server 2101 comprises a server management module2102 and a boot disk management module 2103. The server managementmodule 2102 manages servers as well as the devices connected to theservers. The boot disk management module 2103, a module for managingdisks necessary for booting servers, is one of the modules thatcharacterize the present invention. The boot disk management module 2103comprises a security setting module 2104 and a server informationacquisition module 2105. The security setting module 2104 is a modulefor controlling the fiber channel switch management module 2106 includedin the fiber channel switch 106. The server information acquisitionmodule, which is a module for acquiring information regarding theservers, has a function to control a network switch management module114 and so on in the network switch 108 for acquiring information on theservers 107. In the third embodiment of the present invention, when anoperating system is installed on the disk device 2107, the server 107associates the server 107 with a disk device 2107 before the operatingsystem is installed.

FIG. 22 is a diagram showing the configuration of the management server2101. The management server 2101 comprises a server management module2102 and a boot disk management module 2103. The server managementmodule 2102 monitors the status of, and controls, the servers 107-1,107-2, 107-3, - - - . For example, the server management module monitorsan event indicating whether the currently running server is normallyrunning or an event of a newly added server. In this case, the importantinformation is about what servers are being managed. To keep track ofthis information, the server management module has a server managementtable 301 and a storage management table 2202. The server managementtable 301 contains configuration information and setting information onthe servers being monitored or controlled. The storage management table2202 is a table containing the connection relation of storage connectedto the servers. The boot disk management module 2103 comprises theserver information acquisition module 2105 and the security settingmodule 2104.

The server information acquisition module 2105 comprises a virtualnetwork setting module 306 and a network boot management module 302. Thevirtual network setting module has a function to build a virtual networkin the network switch 108 shown in FIG. 21. A virtual network is afunction to logically divide the devices, physically connected to thesame network switch, into a plurality of networks. The virtual networksetting module 306 in this embodiment builds a private network between aserver being controlled and the management server. The network bootmanagement module 302 performs processing corresponding to the networkboot module 206 shown in FIG. 2.

In response to a request from the network boot module 206, the networkboot management module 302 transfers network boot image data 303 andinformation necessary for the network boot operation. The network bootimage in this embodiment contains an operating system (OS) 305 and aserver information acquisition agent 304 running on the OS. The serverinformation acquisition agent 304 is set up in such a way that, when theOS 305 is booted, the server information acquisition agent 304 startsthe operation automatically. The security setting module 104 controlsthe fiber channel switch management module 2106 of the fiber channelswitch 106 to associate a server with a disk.

FIG. 23 shows the configuration of the storage management table 2202. Acolumn 2301 contains the identifier of a connected device and, morespecifically, the identifier of a server or the identifier of a disk. Acolumn 2302 contains the connection port number of a fiber channelswitch. A column 2303 contains the type of a connected device. Thistable indicates the connection configuration of the fiber channel switch106.

FIG. 24 shows the processing flow of the security setting module 2104.In step 2401, the identifier of an event-generating server is acquired.The server identifier acquired in this step can be used to search thestorage management table in FIG. 23 to find the port number of the fiberchannel switch 106 to which the event-generating server is connected. Instep 2402, a boot disk is allocated. In step 2403, the security settingmodule 2104 controls the fiber channel switch management module 2106 ofthe fiber channel switch 106 and, using a server connected to a port ofthe fiber channel switch 106 or the WWN acquired by the agent,associates the server with a disk device 2107 also connected to thefiber channel switch 106.

FIG. 25 shows the operation sequence of the third embodiment. The figureshows the sequence of operations performed by a server 107, a boot diskmanagement module 2103, and a fiber channel switch management module2106. Step 2504 indicates the installation event of a new server. Forexample, in a blade server, an event is issued automatically when a newserver is installed. For a single-unit server, it is also possible forthe system manager to manually issue an event after the server isconnected to the network switch. This sequence is applicable also to anevent generated in a case in which a new server is not installed but analready installed server, which is not yet set up, is put into use. Theevent described here is an event that is generated when a server, forwhich no disk is yet determined for installing the OS, is newly used.This event, when generated, causes the server information acquisitionmodule 2105 of the boot disk management module 2103 to start theoperation. The server information acquisition module 2105 analyzes theevent, determines that a new server is installed, and calls the virtualnetwork setting module 306 (step 2506). The virtual network settingmodule 306 builds a private network between the newly installed serverand the management server. After that, a reset instruction istransferred to the server (step 2507). When the server is reset by thereset instruction, the above-described network boot module 206 of theserver 107 starts the operation (step 2508).

This causes image data 303 to be transferred from the boot diskmanagement module 2103 (step 2509). The server 107 uses the transferredimage data to start booting the OS (step 2510). At the same time the OSis booted, the server information acquisition agent 304 is startedautomatically (step 2511), which acquires various server informationand, after that, transfers the acquired information to the boot diskmanagement module 2103 (step 2512). This information includes the WWN ofthe fiber channel adapter of the server. After confirming that theserver information is transferred, the boot disk management module 2103releases the virtual network (step 2513) built by the virtual networksetting module 306 in step 2506 to return the network status to thestatus before the boot disk management module 2103 was started. Afterthat, the boot disk management module 2103 requests the fiber channelswitch management module 2106 of the fiber channel switch 106 toassociate the server with a disk using the WWN included in the acquiredserver information and the storage management table 2202 (step 2514). Byexecuting the sequence of processing steps described above, the disk onwhich the OS is installed is automatically prepared for the newlyinstalled server via the fiber channel switch 106.

Fourth Embodiment

A fourth embodiment is characterized by a function that automaticallyallocates a server disk newly connected to the disk array device.

FIG. 26 is a diagram showing the general configuration of the fourthembodiment. A plurality of servers 107-1, 107-2, 107-3, - - - areconnected to a network switch (NW SW) 108 via a network interface card(NIC) 112, and to a fiber channel switch 106 via a fiber channel adapter(FCA) 111. The fiber channel switch 106 is connected also to a diskarray device 2605 to allow the server 107 to access it. The networkswitch 108 is connected also to a management server 2601 that managesthe system. Each server 107 contains a BMC (Baseboard ManagementController) 113 for monitoring the status of the hardware of the server107, for controlling the power supply, and for resetting the server 107via a network. In general, a power separate from that of the server 107is supplied to the BMC 113 to allow the BMC 113 to be remotelycontrolled via a network even when the server 107 stops.

The management server 2601 monitors the status of, and controls, theservers 107, the network switch 108, the fiber channel switch 106, andthe disk array device 2605, as necessary via a network. The managementserver 2601 comprises a server management module 2602 and a boot diskmanagement module 2603. The server management module 2602 managesservers as well as the devices connected to the servers. The boot diskmanagement module 2603, a module for managing disks necessary forbooting servers, is one of the modules that characterize the presentinvention. The boot disk management module 2603 comprises a securitysetting module 2610. A security module 2606 is a module for controllinga disk array management module 2611 in the disk array device 2605; morespecifically, the security module 2606 controls the disk arraymanagement module 2611 to associate a server with a disk 110 in the diskarray device.

A dynamic disk allocation module 2607 is one of the modules thatcharacterize the present invention. The dynamic disk allocation module2607 has a function to dynamically allocate a disk to a server 107 whena server 107 with a new WWN tries to access a disk. In the fourthembodiment of the present invention, when the operating system of aserver 107 is stored in the disk array device 2605, the server 107dynamically associates the server 107 with a disk 110 in the disk arraydevice 2605 before the operating system is installed.

FIG. 27 is a diagram showing the configuration of the management server2601 (101) shown in FIG. 26. The management server 2601 comprises theserver management module 2602 and the boot disk management module 2603.The server management module 2602 monitors the status of, and controls,servers. For example, the server management module 2602 monitors anevent indicating whether the currently running server is normallyrunning or an event of a newly added server. In this case, the importantinformation is about what servers are being managed. To keep track ofthis information, the server management module 2602 has a servermanagement table 2702. The server management table 2702 containsconfiguration information and setting information on the servers beingmonitored or controlled. The boot disk management module 2603 comprisesthe security setting module. The security setting module 2610 controlsthe security module 2606 of the disk array device 2605 to associate aserver with the disk devices 110.

FIG. 28 is a flowchart showing the processing of the boot diskmanagement module 2603. In step 2801, the server number of anevent-generating server is acquired. In step 2802, the allocation of adisk is confirmed. This step determines if the disk, allocated to theserver by the dynamic disk allocation module 2607 of the disk arraydevice 2605, is associated with a correct server. This is a processingstep to confirm that the disk is not allocated to a server incorrectly.In step 2803, whether the WWN transferred from the server matches thedisk associated by the disk array device 2605. If the WWNs do not match,the allocation is released immediately in step 2804. This releaseprocessing prevents the dynamic disk allocation module 2607 fromallocating a disk to a server incorrectly.

FIG. 29 is a flowchart showing the processing of the dynamic diskallocation module 2607. In step 2901, whether the WWN of the server thataccesses a disk is a WWN registered in the security module 2606. If theaccess is made from a server with a WWN that is not registered, controlis passed to step 2902 to determine if the WWN satisfies the standard.Because a WWN issued by some manufacturer conforms to a predeterminedrule, the dynamic disk allocation is allowed if the access is made froma device of a specific manufacturer in accordance with that rule. If theWWN satisfies the standard, control is passed to step 2903 to allocate anew disk. In step 2904, the WWN and the newly allocated disk areassociated. The processing steps described above prevent a disk frombeing allocated when access is made from an incorrect server.

FIG. 30 shows the operation sequence of the fourth embodiment. Thefigure shows the sequence of operations performed by the server 107, theboot disk management module 2603, and the security module 2606 of thedisk array. In step 3004, access is made from a new server to the diskarray. When this access is made, the security module 2606 in the diskarray device 2605 dynamically allocates a disk (step 3005). This dynamicallocation requires the number of processing steps fewer than thatrequired in other embodiments. However, when the system is composed of aplurality of servers, it is necessary to confirm that the disk isallocated to a correct server. To do so, it is necessary to confirm thatthe disk is allocated to the new server correctly, using the WWNreceived from the server information acquisition agent that runs on theinstalled OS (step 3008). By executing this processing step, the diskcan be associated with a correct server in fewer processing steps.

The method according to the present invention, which is for use in acomputer system where common external disks are provided for a pluralityof servers and an operating system of each server is booted from thoseexternal disks, uses the security function of a disk array device toprevent updating and alteration from other servers and, thus, boots theoperating system safely. Information necessary for setting up thisbooting method can be acquired automatically. Therefore, the methodaccording to the present invention gives great advantages to a computersystem where common disks are used and ensures high usability in thisfield.

It should be further understood by those skilled in the art thatalthough the foregoing description has been made on embodiments of theinvention, the invention is not limited thereto and various changes andmodifications may be made without departing from the spirit of theinvention and the scope of the appended claims.

1. A booting method for use in a computer system having a plurality ofservers connected to an external disk device via a first network and amanagement server that is connected to said plurality of servers via asecond network and manages said plurality of servers, wherein anoperating system of said plurality of servers is booted from saidexternal disk device via said first network, said booting methodcomprising the steps of: storing, by said management server, settinginformation of the second network; establishing a virtual network insaid second network between a first server of said plurality of serversand said management server, said virtual network being independent ofother servers; sending an agent program from said management server tosaid first server via said second network; transferring configurationinformation of said first server acquired by the agent program to saidmanagement server via said second network; and restoring the storedsetting information of said second network.